Digging the IT Privacy and Security Weekly Update for March 8th., 2022



Daml’ers,

We start by tipping our hats in respect to all those valiantly fighting for democracy in Ukraine.

Then we go on an adventure. This one’s going to get our feet dirty. First with a new use for artificial intelligence, and then while we award Apple a “fail” on the very day it launches its latest raft of products.

We unearth why 9 women might be the right number for the US supreme court on International Women’s Day.

…And then get muddied with an update on the rather unique ransom demands being made of NVIDIA before dishing the dirt on the latest timings for cracking your password.

And at least for this adventure, we have a happy ending.
digging

It’s all part of good discovery, so grab a shovel and let’s get digging!


DK: Roped and Hogtied: Scientists use AI to decode Pig Grunts.

Scientists believe that the AI pig translator – which turns oinks, snuffles, grunts, and squeals into emotions – could be used to automatically monitor animal wellbeing and pave the way for better livestock treatment on farms and elsewhere.

“We have trained the algorithm to decode pig grunts,” said Dr. Elodie Briefer, an expert in animal communication who co-led the work at the University of Copenhagen. “Now we need someone who wants to develop the algorithm into an app that farmers can use to improve the welfare of their animals.”

Working with an international team of colleagues, Briefer trained a neural network to learn whether pigs were experiencing positive emotions, such as happiness or excitement, or negative emotions, such as fear and distress, using audio recordings and behavioral data from pigs in different situations, from birth through to death.

Writing in the journal Scientific Reports, the researchers describe how they used the AI to analyze the acoustic signatures of 7,414 pig calls recorded from more than 400 animals.

While most of the recordings came from farms and other commercial settings, others came from experimental enclosures where pigs were given toys, food, and unfamiliar objects to nose around and explore.

The scientists used the algorithm to distinguish calls linked to positive emotions from those linked to negative emotions.

The different noises represented emotions across the spectrum and reflected positive situations, such as huddling with littermates, suckling their mothers, running about, and being reunited with the family, to negative situations ranging from piglet fights, crushing, castration, and waiting in the abattoir.

The researchers found that there were more high-pitched squeals in negative situations.

Meanwhile, low-pitched grunts and barks were heard across the board, regardless of their predicament.

Short grunts, however, were generally a good sign of porcine contentment.

So what’s the upshot for you? This may pave the way for new automated systems in the livestock industry that monitor sounds on farms and other sites to assess animals’ psychological wellbeing.


Global: Fail the Fix: Apple, Microsoft, and Google all receive poor marks

Laptops and smartphones made by Apple, Microsoft, and Google are considerably less repair-friendly than those made by competitors Asus, Dell, and Motorola, according to a new report.

These findings may be unsurprising to people who like to fix gadgets, but the data to back them up comes from an unusual source: the companies themselves.

The report, released today by the US Public Research Interest Group’s Education Fund, draws on data companies are now releasing in France to comply with the government’s world-first “repairability index” law, which went into effect last year.

The law requires manufacturers of certain electronic devices, including cell phones and laptops, to score each of their products based on how easily repairable it is and make that score, along with the data that went into it, available to consumers at point-of-sale.

So what’s the upshot for you? How did they score? Apple was the worst for phones and laptops. In second worst place was Microsoft for Laptops and then Google for phones.


RU: Stopped on the streets of Moscow? Your phone is not private Anymore.

Police officers in Moscow today are stopping people, demanding to see their phones, READING THEIR MESSAGES, and refusing to release them if they refuse.

This from Kommersant journalist Ana Vasilyeva. https://t.me/C

So what’s the upshot for you? Disable biometric logons.


Global: Hackers Find a New Way to Deliver Devastating DDoS Attacks

Last August, researchers at the University of Maryland and the University of Colorado at Boulder published research showing that there were hundreds of thousands of middleboxes that had the potential to deliver some of the most crippling distributed denial of service attacks ever seen.

<<A Middlebox is a server that fails to follow transmission control protocol (TCP) specifications that require a three-way handshake—comprising a SYN packet sent by the client, a SYN+ACK response from the server, and a confirmation ACK packet from the client—before a connection is established.>>

Last Tuesday, Akamai researchers reported that day has come. Over the past week, the Akamai researchers said, they have detected multiple DDoS attacks that used middleboxes precisely the way the academic researchers had predicted.

The attacks peaked at 11 Gbps and 1.5 million packets per second.

Collectively, our results show that censorship infrastructure poses a greater threat to the broader Internet than previously understood.

Most DoS amplifications today are UDP-based.

The reason for this is that TCP requires a 3-way handshake that complicates spoofing attacks.

Every TCP connection starts with the client sending a SYN packet, the server responds with a SYN+ACK, and the client completes the handshake with an ACK packet.

The 3-way handshake protects TCP applications from being amplifiers because if an attacker sends a SYN packet with a spoofed source IP address, the SYN+ACK will go to the victim, and the attacker never learns critical information contained in the SYN+ACK needed to complete the 3-way handshake.

Without receiving the SYN+ACK, the attacker can’t make valid requests on behalf of the victim.

The 3-way handshake is effective at preventing amplification for TCP-compliant hosts. But in this work, we discover a large number of network middleboxes do not conform to the TCP standard and can be abused to perform attacks.

In particular, we find many censorship middleboxes will respond to spoofed censored requests with large block pages, even if there is no valid TCP connection or handshake. These middleboxes can be weaponized to conduct DoS amplification attacks.

Middleboxes are often not TCP-compliant by design: many middleboxes attempt handle asymmetric routing, where the middlebox can only see one direction of packets in a connection (e.g., client to server).

But this feature opens them to attack: if middleboxes inject content based only on one side of the connection, an attacker can spoof one side of a TCP 3-way handshake, and convince the middlebox there is a valid connection.

Defending against this attack is difficult. The incoming flood of traffic comes over TCP port 80 (normal HTTP traffic) and the responses are usually well-formed HTTP responses.

Since middleboxes are spoofing the IP address of the traffic they generate, this means that the attacker can set the source IP address of the reflected traffic to be any IP address behind the middlebox.

For some networks, this is a small number of IP addresses, but if an attacker uses nation-state censorship infrastructure, the attacker can make the attack traffic come from any IP address within that country.

This makes it difficult for a victim to drop traffic from offending IP addresses during an attack.

There is very little an end-user can do to defend against this sort of attack and completely fixing this problem will require countries to invest money in changes that could weaken their censorship infrastructure, something we believe is unlikely to occur.

So what’s the upshot for you? “Most individuals likely do not need to worry about this attack, but we’ve been working with DDoS mitigation services so they are prepared if the attack is used in the wild.”


US: Cybercriminals who breached Nvidia issue one of the most Unique demands ever

A ransomware group calling itself Lapsus$ first claimed last week that it had hacked into Nvidia’s corporate network and stolen more than 1TB of data. Included in the theft, the group claims, are schematics and source code for drivers and firmware.

A relative newcomer to the ransomware scene, Lapsus$ has already published one tranche of leaked files, which among other things included the usernames and cryptographic hashes for 71,335 of the chipmaker’s employees.

The group then went on to make the highly unusual demand: remove a feature known as LHR, short for “Lite Hash Rate,” or see the further leaking of stolen data.

LHR works by looking for specific attributes of the Ethereum mining algorithm.

When one of those attributes is found, LHR limits the hash rate, which dictates mining efficiency, by around 50 percent. “We designed GeForce GPUs for gamers, and gamers are clamoring for more,” Nvidia officials wrote when unveiling LHR.

So what’s the upshot for you? On Tuesday, Lapsus$ modified its demand. Now, the group also wants Nvidia to commit to making its GPU drivers completely open source. If Nvidia does not comply, Lapsus$ says, the company can expect to see a new leak that would include the complete silicon, graphics, and computer chipset files for all its recent GPUs.


Global: How an 8-character password cracked in < 1 Hr.

Due to the progress in graphics technology, most types of passwords require less time to crack than they did just two years ago. For example, a 7-character password with letters, numbers, and symbols would take 7 minutes to crack in 2020 but just 31 seconds in 2022.

So what’s the upshot for you? Passphrases are often more secure than passwords but are usually easier to remember. For example “sunset-beach-sand” uses words and a dash to separate each word and would take 2 billion years to crack


US: Google Acquires Mandiant

Google is acquiring Mandiant to boost the Google Cloud security business, the companies have confirmed. The price tag is $5.4 billion. The deal surfaces roughly one month after Microsoft apparently explored a Mandiant buyout.

Google has been an active buyer in the cybersecurity market — acquiring Siemplify in January 2022 and investing in Cybereason in October 2021. Those Google acquisitions could set the stage for more partnerships with the cloud and search giant

So what’s the upshot for you? It’s easy enough to see why Google is moving in this direction if you look at the originating countries checking your cloud-based resources.

Remember it’s less than five minutes for the discovery of Internet-facing open ports and if one is misconfigured, removal is going to be a lot more work than you expect.


US: 6 US Govt networks infected by APT41

APT41 is a prolific Chinese state-sponsored espionage group known to target organizations in both the public and private sectors and also conducts financially motivated activity for personal gain.

Although APT41 has historically performed mass scanning and exploitation of vulnerabilities, investigations into APT41 activity between May 2021 and February 2022 uncovered evidence of a deliberate campaign targeting U.S. state governments.

During this timeframe, APT41 successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet-facing web applications, often written in ASP.NET.

In most of the web application compromises, APT41 conducted .NET deserialization attacks; however, we have also observed APT41 exploiting SQL injection and directory traversal vulnerabilities.

APT41 was also quick to adapt and use publicly disclosed vulnerabilities to gain the initial access into target networks, while also maintaining existing operations. On December 10th, 2021, the Apache Foundation released an advisory for a critical remote code execution (RCE) vulnerability in the commonly used logging framework Log4J. Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two U.S. state governments as well as their more traditional targets in the insurance and telecommunications industries.
So what’s the upshot for you? Seems there is a pretty healthy infestation in some of these government networks.


Global: Dirty Pipe

Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer’s Linux machine. After months of analysis, the researcher finally found that the customer’s corrupted files were the result of a bug in the Linux kernel.

The researcher—Max Kellermann of Ionos—eventually figured out how to weaponize the vulnerability to allow anyone with an account—including least privileged “nobody” accounts—to add an SSH key to the root user’s account. With that, the untrusted user could remotely access the server with an SSH window that has full root privileges.

Other researchers quickly showed that the unauthorized creation of an SSH key was only one of many malicious actions an attacker can take when exploiting the vulnerability.

Other malicious actions enabled by Dirty Pipe include creating a cron job that runs as a backdoor, adding a new user account to /etc/passwd + /etc/shadow (giving the new account root privileges), or modifying a script or binary used by a privileged service.

“It’s about as severe as it gets for a local kernel vulnerability. There’s essentially no way to mitigate it, and it involves core Linux kernel functionality.”

The vulnerability first appeared in Linux kernel version 5.8, which was released in August 2020. The vulnerability persisted until last month when it was fixed with the release of versions 5.16.11, 5.15.25, and 5.10.102.

2022 has already seen one other high-severity Linux vulnerability. PwnKit is also a privilege escalation bug that was discovered in January after lurking in the Linux kernel for 12 years. It too is trivial to exploit and opens the door to numerous forms of malice.

Dirty Pipe also afflicts any release of Android that’s based on one of the vulnerable Linux kernel versions. Since Android is so fragmented, affected device models can’t be tracked on a uniform basis. The latest version of Android for the Pixel 6 and the Samsung Galaxy S22, for instance, run 5.10.43, meaning they’re vulnerable. A Pixel 4 on Android 12, meanwhile, runs 4.14, which is unaffected. Android users can check which kernel version their device uses by going to Settings > About phone > Android version.

So what’s the upshot for you? One mitigating factor is that the kernel version that introduced the vulnerability, 5.8, is relatively new. Many production servers aren’t running 5.8.


Global: 20 million UPS units exposed to takeover

https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02

Three zero-day vulnerabilities identified in Schneider Electric’s APC brand uninterruptible power supplies (UPS) could allow an attacker to not only gain a foothold on the unit’s network but even potentially “disable, disrupt and destroy” the UPS and attached assets. More than 20 million devices are affected.

Armis researchers found three separate zero-day vulnerabilities in APC Smart-UPS units, each of which has its own CVE number:

  1. A TLS buffer overflow (CVE-2022-22805)
  2. A TLS authentication bypass (CVE-2022-22086)
  3. An unsigned firmware bug (CVE-2022-0715)

Both TLS exploits are triggered using unauthenticated network packets, while the third requires the attacker to craft a malicious firmware update triggering its installation via the internet, a LAN connection, or using a thumb drive. This is possible because the affected devices don’t have their firmware updates cryptographically signed in a secure way.
So what’s the upshot for you? If your devices are affected, it’s essential that you upgrade their firmware as soon as possible. Both Schneider Electric and Armis said there’s no evidence that these vulnerabilities have been exploited, but it’s only a matter of time.


Global: Patch Tuesday for Microsoft

This was a big one with vulnerabilities in multiple Windows products and components, some serious enough to lead to remote code execution attacks. The big one on the list is the [Exchange Server] vulnerability that would allow an authenticated attacker to execute their code with elevated privileges through a network call.

This is also listed as low complexity with exploitation likely.

Bugs in Microsoft Defender, Microsoft Office, and Windows Event Tracing also got updates.

So what’s the upshot for you? Over 70 different issues were addressed.


Global: Mozilla addresses two actively exploited zero-day flaws in Firefox

The Cybersecurity and Infrastructure Security Agency (CISA) added two critical security vulnerabilities in Mozilla Firefox, tracked as CVE-2022-26485 and CVE-2022-26486, to its Known Exploited Vulnerabilities Catalog.

Successful exploitation of the flaws can cause a program crash or execute arbitrary commands on the machine.

Yesterday Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to address the two zero-day vulnerabilities that are actively exploited in attacks.

The US agency has ordered federal civilian agencies to address both issues by March 21, 2022.

So what’s the upshot for you? Two weeks to update your firefox browser? It should already be set to auto-update.


US: Annual Threat Assessment of the US Intelligence community.

U.S. intelligence leaders and House lawmakers on Tuesday signaled they remain on edge that Russia could unleash a digital salvo on the country, and its allies, as Moscow’s invasion of Ukraine escalates.

The various remarks — made during the public segment of the House Intelligence Committee’s annual worldwide threats hearing — are the latest acknowledgment that, while Russia has engaged in some malicious activities against Ukraine, the Kremlin has yet to fully deploy its legions of hackers and that what until now have been minor skirmishes could grow into full-scale, online conflict with ramifications for the rest the world.

This report provides the US intelligence communitys’ perspective and lines up with what was said in the House of Representatives today.

So what’s the upshot for you? They are not pulling any punches in this report


US: Women in IT Privacy and Security

https://www.isc2.org/-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx

Women make up just 25% of the cybersecurity workforce, according to a recent (ISC)² report. It’s better than years past, but we can do better. As we focus on bringing more women into the industry, we acknowledge the role women have played over the years to help shape the cybersecurity landscape.

We’ve also come a long way since a grassroots movement led by Chenxi Wang and Zenobia Godschalk after the 2014 RSA Conference thankfully helped end the what-used-to-be-common practice of using “booth babes” — or models in scantily clad attire stationed at vendor booths — at trade shows and other events across the cybersecurity industry. We are seeing conscientious efforts to address overt denigration and objectification of women, as well as mindfully name more women security professionals as speakers and advisers.

Today women hold high-profile CISO positions. Last year, for example, Jen Easterly became the first woman named as director of the Cybersecurity and Infrastructure Security Agency (CISA).

So what’s the upshot for you? When late U.S. Supreme Court Justice Ruth Bader Ginsburg was asked how many of the nine judges on the Supreme Court should be female — and at what point there would be enough women on the bench — she said, “When there are nine.” Why not? As she noted, “Nine men was a satisfactory number until 1981.”


US/UK: Reasons to be cheerful: optimists live longer, says study

https://www.pnas.org/doi/10.1073/pnas.1900712116

“Given prior work linking optimism to longevity, healthy aging, and lower risks of major diseases, it seemed like a logical next step to study whether optimism might protect against the effects of stress among older adults,” said Dr. Lewina Lee, a clinical psychologist at the Veterans Affairs Boston Healthcare System and assistant professor of psychiatry at Boston University.

People who have a rosy outlook on the world may live healthier, longer lives because they have fewer stressful events to cope with, new research suggests.

Scientists found that while optimists reacted to, and recovered from, stressful situations in much the same way as pessimists, optimists fared better emotionally because they had fewer stressful events in their daily lives.

How optimists minimize their dose of stress is unclear, but the researchers believe they either avoid arguments, lost keys, traffic jams, and other irritations or simply fail to perceive them as stressful in the first place.

Previous studies have found evidence that optimists live longer and healthier lives, but researchers still do not completely understand why having a glass-half-full attitude might contribute to healthy aging.

So what’s the upshot for you? Look around. It’s obvious. All the optimists are right here with you reading this!


digging


That’s it for this week. Stay safe, stay, secure, stack the shovels in the barn… and we’ll see you in se7en,